3 Replies Latest reply on Sep 10, 2020 10:06 AM by Duncan Grisby

    Return specific package info along with Host info returned in raw query

    Raw Query

      I'm using the following raw query search as somewhat of a dashboard view of systems I monitor and it runs great.

       

      search Host where os has subword 'Microsoft Windows 10' show name, vendor,serial,

      #Container:Containment:ContainedDrive:DiskDrive.serial as 'HDDisk SN',

      #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.ip_addr,

      #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.netmask,

      #DeviceWithInterface:DeviceInterface:InterfaceOfDevice:NetworkInterface.default_gateway,

      #DeviceWithInterface:DeviceInterface:InterfaceOfDevice:NetworkInterface.#EdgeClient:NetworkLink:EdgeDevice:NetworkInterface.name as 'Connected to PortSwitch',

      #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.#DeviceOnSubnet:DeviceSubnet:Subnet:Subnet.#ElementInLocation:Location:Location:Location.name as 'Location',

       

      I'd like to add two more lines at the end; each returning the version of two particular packages (if installed) that I need to monitor for. I tried to add #Host:HostedSoftware:InstalledSoftware:Package.name but it returns a list of installed packages in the column.

       

      Is there a way to filter what's returned from #Host:HostedSoftware:InstalledSoftware:Package.name and then return the version?

       

      Pseudo example of what I'm trying to come up with (or at least how I imagine it in my head):

      #BlahBlahBlahisSoftware1installed?ifsoDisplayVersion

      #BlahBlahBlahisSoftware2installed?ifsoDisplayVersion

       

      or something like

       

      (#Host:HostedSoftware:InstalledSoftware:Package where name has subword 'MYSOFTWARE1').version

      (#Host:HostedSoftware:InstalledSoftware:Package where name has subword 'MYSOFTWARE2').version

       

      I know that's not the correct syntax to use, but anyone on here with programming experience may understand what I'm trying to do here.

      I'm unfortunately not super familiar with the discovery or its query syntax, I just dabble in discovery queries because the info it provides is so helpful and saves a lot of time.

       

      Any pointers?

       

        • 1. Re: Return specific package info along with Host info returned in raw query
          Danny Fleer

          Try this:

           

          search Host
          with (traverse Host:HostedSoftware:InstalledSoftware:Package as FilteredPackage where name in ['Package Name 1', 'Package Name 2'])
          where os has subword 'Microsoft Windows 10'
          show name, vendor,serial,
          #Container:Containment:ContainedDrive:DiskDrive.serial as 'HDDisk SN',
          #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.ip_addr,
          #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.netmask,
          #DeviceWithInterface:DeviceInterface:InterfaceOfDevice:NetworkInterface.default_gateway,
          #DeviceWithInterface:DeviceInterface:InterfaceOfDevice:NetworkInterface.#EdgeClient:NetworkLink:EdgeDevice:NetworkInterface.name as 'Connected to PortSwitch',
          #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.#DeviceOnSubnet:DeviceSubnet:Subnet:Subnet.#ElementInLocation:Location:Location:Location.name as 'Location',
          #FilteredPackage.name as 'Filtered Packages'
          

           

          You have to provide the names of the packages you want to include in line 2.

          2 of 2 people found this helpful
          • 2. Re: Return specific package info along with Host info returned in raw query
            Raw Query

            That's almost what I'm looking for; I just need to tweak it somehow so that each piece of software shows in a separate column.

             

            I tried this:

             

            search Host

            with (traverse Host:HostedSoftware:InstalledSoftware:Package as FilteredPackage where name in ['Software1'])

            with (traverse Host:HostedSoftware:InstalledSoftware:Package as FilteredPackage2 where name in ['Software2'])

            where os has subword 'Microsoft Windows 10'

            show name, vendor,serial,

            #Container:Containment:ContainedDrive:DiskDrive.serial as 'HDDisk SN',

            #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.ip_addr,

            #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.netmask,

            #DeviceWithInterface:DeviceInterface:InterfaceOfDevice:NetworkInterface.default_gateway,

            #DeviceWithInterface:DeviceInterface:InterfaceOfDevice:NetworkInterface.#EdgeClient:NetworkLink:EdgeDevice:NetworkInterface.name as 'Connected to PortSwitch',

            #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.#DeviceOnSubnet:DeviceSubnet:Subnet:Subnet.#ElementInLocation:Location:Location:Location.name as 'Location',

            #FilteredPackage.version as 'Software1'

            #FilteredPackage2.version as 'Software2'

             

            but it's erroring out. I just need to play around with it to see if I can figure out how to separate the two pieces of software in separate columns.

             

            Thanks so much Danny!

            • 3. Re: Return specific package info along with Host info returned in raw query
              Duncan Grisby

              The syntax is just slightly wrong. There are two errors. In the with expression, you should only use the word "with" once, and separate the expressions with a comma:

               

              search Host

              with (traverse Host:HostedSoftware:InstalledSoftware:Package as FilteredPackage where name in ['Software1']),

                   (traverse Host:HostedSoftware:InstalledSoftware:Package as FilteredPackage2 where name in ['Software2'])

              where os has subword 'Microsoft Windows 10'

              ...

               

              The other error is that you are missing a comma between the last two parts of the show clause, so it should be:

               

              ...

              #DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.#DeviceOnSubnet:DeviceSubnet:Subnet:Subnet.#ElementInLocation:Location:Location:Location.name as 'Location',

              #FilteredPackage.version as 'Software1',   // <- note the comma there

              #FilteredPackage2.version as 'Software2'

               

              Also, it doesn't matter to the evaluation, but if you are only matching a single name, it would be better to use name = 'Software1' rather than name in ['Software1'].

              3 of 3 people found this helpful
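
For reference, the complete query with both corrections from the last reply applied (a single `with` whose traversals are separated by a comma, and a comma between the last two `show` columns), and with the single-name matches written using `=`. This is an added example assembled from the fragments in the thread, not a query posted by any participant; 'Software1' and 'Software2' are the thread's placeholder package names.

```text
search Host
with (traverse Host:HostedSoftware:InstalledSoftware:Package as FilteredPackage where name = 'Software1'),
     (traverse Host:HostedSoftware:InstalledSoftware:Package as FilteredPackage2 where name = 'Software2')
where os has subword 'Microsoft Windows 10'
show name, vendor, serial,
#Container:Containment:ContainedDrive:DiskDrive.serial as 'HDDisk SN',
#DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.ip_addr,
#DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.netmask,
#DeviceWithInterface:DeviceInterface:InterfaceOfDevice:NetworkInterface.default_gateway,
#DeviceWithInterface:DeviceInterface:InterfaceOfDevice:NetworkInterface.#EdgeClient:NetworkLink:EdgeDevice:NetworkInterface.name as 'Connected to PortSwitch',
#DeviceWithAddress:DeviceAddress:IPv4Address:IPAddress.#DeviceOnSubnet:DeviceSubnet:Subnet:Subnet.#ElementInLocation:Location:Location:Location.name as 'Location',
#FilteredPackage.version as 'Software1',
#FilteredPackage2.version as 'Software2'
```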